Embodiments of the present invention relate to computer systems and, in particular, to access control within a computer system.
With the continual proliferation of information technologies, an ever-increasing volume of data is in digital form, and securing such data is a major challenge faced by most enterprises today, requiring protection of data at every access point by deploying systems that are more secure yet, at the same time, more accessible. Commercial companies host their web sites on servers that are networked with other computer assets of the organization. Many commercial and non-commercial (e.g., government, military, health and educational) organizations communicate across networks and access the web from workstations that are also networked with systems storing and processing sensitive data. The widespread adoption of mobile devices and associated applications has added a further dimension, with such devices being increasingly used for banking and consumer transactions. The subversion of a single client or server provides an attacker with immediate connectivity to the information and computing resources of an entire organization, thereby compromising confidential information and potentially creating havoc in the operations of the organization. The number of data attacks has more than tripled in the past five years, making the need to balance security with increasing access demands an even greater priority.
The typical elements in developing a security model are confidentiality, integrity, accessibility and data assurance. Data confidentiality is ensured by restricting disclosure to authorized access only, while data integrity guarantees that the data is protected from modification, whether deliberate or accidental. Data accessibility implies ease of access to data, while data assurance implies that a specific implementation provides a degree of confidence about pre-established security goals with, for example, confidentiality being paramount in defense applications and both confidentiality and data integrity being equally relevant in healthcare and financial applications.
Multi-level security models use a classification approach according to the sensitivity of data. Data with different security classifications can all reside in a single domain and be received, processed, stored and disseminated, even though not all users within the domain have the security clearance to access all the data within the domain. The best known multi-level security models are Bell-LaPadula and Biba, in which a system comprises subjects and objects, with read operations involving data flowing from an object to a subject and write operations involving data flowing from a subject to an object.
The Bell-LaPadula model deals with data confidentiality only, with each subject having a clearance and each object having a classification (e.g., SECRET, CONFIDENTIAL, etc.), the security level denoting the data's level of protection. The Bell-LaPadula model enforces two properties: (i) the simple security property: a subject at a given security level must not read an object at a higher security level (no read up); and (ii) the *-property: a subject at a given security level must not write to an object at a lower security level (no write down).
The Biba model deals with integrity alone, ignoring confidentiality entirely, and also enforces two properties which are the reverse of those of Bell-LaPadula: (i) the simple integrity property: a subject at a given integrity level must not read an object at a lower integrity level (no read down); and (ii) the *-integrity property: a subject at a given integrity level must not write to any object at a higher integrity level (no write up).
Although both the Bell-LaPadula and Biba security models have attempted to deal with data flow across multiple levels of security, they are both notoriously restrictive and inflexible. Both models effectively allow data flow in one direction only: Bell-LaPadula permits read-down and write-up (relative to security level) only, thereby ensuring data confidentiality, and Biba permits read-up and write-down only, thereby ensuring data integrity. However, neither model ensures both data integrity and confidentiality. If implemented strictly, both models have inherent problems, as it is not practically possible to implement a system in which data flows in one direction only.
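The following is an added worked example, not part of the original application, that encodes the four rules above as a reference-monitor check and then enumerates which flows survive when both models are enforced at once. The level names (UNCLASSIFIED through TOP_SECRET) and the use of a single totally ordered label for both clearance and integrity are assumptions made for the illustration; real Bell-LaPadula and Biba deployments use a lattice of level plus compartments, which does not change the outcome shown here.

```python
"""Added example: Bell-LaPadula and Biba access checks, and the flows that
remain when both are enforced together. Not code from the original document."""
from dataclasses import dataclass
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    # Assumed hierarchy for the example; a real system uses a lattice that
    # also carries compartments/categories.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level   # Bell-LaPadula (confidentiality) label
    integrity: Level   # Biba (integrity) label


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Level
    integrity: Level


def blp_allows(subject: Subject, obj: DataObject, op: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and
    *-property (no write down)."""
    if op == "read":
        return subject.clearance >= obj.classification
    if op == "write":
        return subject.clearance <= obj.classification
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Subject, obj: DataObject, op: str) -> bool:
    """Biba: simple integrity property (no read down) and
    *-integrity property (no write up)."""
    if op == "read":
        return subject.integrity <= obj.integrity
    if op == "write":
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown operation {op!r}")


def both_allow(subject: Subject, obj: DataObject, op: str) -> bool:
    """A combined monitor grants access only if both models grant it."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def allowed_flows(check):
    """Enumerate every (subject level, object level, op) triple permitted by
    `check` when one label serves as both clearance and integrity level."""
    flows = set()
    for s, o, op in product(Level, Level, ("read", "write")):
        subj = Subject("s", clearance=s, integrity=s)
        obj = DataObject("o", classification=o, integrity=o)
        if check(subj, obj, op):
            flows.add((s, o, op))
    return flows


if __name__ == "__main__":
    analyst = Subject("analyst", Level.SECRET, Level.SECRET)
    bulletin = DataObject("public-bulletin", Level.UNCLASSIFIED, Level.UNCLASSIFIED)

    # Bell-LaPadula lets the SECRET analyst read down but not write down.
    print("BLP read down :", blp_allows(analyst, bulletin, "read"))    # True
    print("BLP write down:", blp_allows(analyst, bulletin, "write"))   # False
    # Biba is the mirror image: write down is fine, read down is not.
    print("Biba read down :", biba_allows(analyst, bulletin, "read"))  # False
    print("Biba write down:", biba_allows(analyst, bulletin, "write")) # True

    # Enforcing both at once leaves only same-level flows.
    for s, o, op in sorted(allowed_flows(both_allow)):
        print(f"{op:5} {s.name} -> {o.name}")
```

Running the enumeration shows the point made in the text in concrete terms: each model on its own permits 20 of the 32 possible (level, level, operation) combinations, but the intersection keeps only the 8 in which subject and object sit at exactly the same level, so data can no longer move between levels at all.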
“Workarounds” have evolved in attempts to implement both models in practical situations, such as allowing a limited-bandwidth flow in the forbidden direction. However, this is, in effect, a form of declassification, which will always compromise the security of a system to at least some extent. In addition, such declassification usually involves increasing the security or integrity level of a subject or object in order to minimise risk, which eventually leads to most subjects and objects having the top level of security or integrity, effectively resulting in a system that has no security or integrity level partitioning at all. In order to ensure the security of the most sensitive components and data of a system, Chinese Wall approaches have been used, involving building huge defensive mechanisms around these components, but again this results in inflexibility of the system and is not an economical use of resources.